Financial transactions, such as banking transactions, online purchases, etc., are increasingly being performed with mobile computing devices, such as mobile phones, tablets, etc. This means that users are increasingly conducting financial transactions from different locations and using different devices, whereas users previously tended to use the same terminals, such as a work computer and/or a home computer, to conduct such transactions. As the number of mobile transactions increases, it has become more important, and more difficult, to monitor such transactions for fraud.
Some existing fraud prevention solutions attempt to identify a device that is used for conducting the transaction. Once a fraudulent transaction is determined to have originated from a particular device, the device can be added to a negative list, i.e. a list of devices known to have been used to conduct fraudulent transactions. This can deter bad actors (“fraudsters”) from using the same device to conduct subsequent fraudulent activities.
Existing device identification solutions may use a combination of a device ID and a device fingerprint to positively identify a particular device. A device ID is a time-stamped token stored on a user device. This token could possibly be encrypted, and can be retrieved at any time and used to uniquely identify a particular device. However, it may be easy for a fraudster to steal this token and move it to another machine. Moreover, a user device may block the storage of the cookie or token. Thus, a device ID may or may not be present on a particular device.
A device fingerprint is a collection of data elements that are obtained from the device and that can be used to identify the device. The data elements are based on the configuration of the device and/or the operational characteristics of the device, and can include elements such as browser type, browser revision number, operating system, screen attributes, etc. Device fingerprints are also referred to as “machine fingerprints” or simply “fingerprints.” A browser fingerprint is a device fingerprint generated from information about the configuration of a web browser on the device. Device fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.
It has been estimated that browser fingerprinting can generate a signature having 18.1 bits of entropy, and that another 5.7 bits of entropy can be added from so-called “canvas fingerprinting,” in which a browser is instructed to draw a hidden image, and information about the CPU or graphics driver of the device can be inferred from the image.
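To make the entropy figures above concrete, the following Python example (added here, not part of the original text) measures the Shannon entropy of fingerprint attributes over a small population and converts bits into a one-in-N uniqueness figure. It also shows that per-attribute entropies only add up when the attributes are independent; correlated attributes yield fewer combined bits. The sample population and all function names are constructed for illustration.

```python
import math
from collections import Counter

def shannon_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def expected_one_in(bits):
    """With `bits` of identifying information, roughly 1 in 2**bits devices
    share a given signature."""
    return 2 ** bits

# Constructed sample population: (browser type, operating system, screen attributes).
SAMPLE = [
    ("Chrome", "Windows", "1920x1080"),
    ("Chrome", "Windows", "1920x1080"),
    ("Chrome", "Windows", "1366x768"),
    ("Chrome", "Android", "412x915"),
    ("Safari", "iOS", "390x844"),
    ("Safari", "iOS", "390x844"),
    ("Safari", "macOS", "1440x900"),
    ("Firefox", "Windows", "1920x1080"),
]

def attribute_entropies(population):
    """Entropy of each attribute column taken on its own."""
    return [shannon_entropy(col) for col in zip(*population)]

def joint_entropy(population):
    """Entropy of the whole fingerprint (all attributes combined)."""
    return shannon_entropy(population)

if __name__ == "__main__":
    per_attr = attribute_entropies(SAMPLE)
    print("per-attribute bits:", [round(b, 2) for b in per_attr])
    # Browser, OS and screen size are correlated, so the sum overstates
    # how identifying the combined fingerprint really is.
    print("sum of attributes :", round(sum(per_attr), 2))
    print("joint fingerprint :", round(joint_entropy(SAMPLE), 2))
    # The figures quoted in the text, expressed as "one in N devices".
    print("18.1 bits -> 1 in", round(expected_one_in(18.1)))
    print("18.1 + 5.7 bits -> 1 in", round(expected_one_in(18.1 + 5.7)))
```

When sizing a negative list or estimating false-match rates, measure the joint entropy on the attribute set actually collected rather than summing published per-attribute figures.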
As will be appreciated from the foregoing description, device fingerprinting can take the form of passive fingerprinting, in which configuration data is obtained without overtly querying the device for information, and active fingerprinting, in which the device is directly queried for information. In general, passive collection of device attributes below the web-browser layer may occur at several layers of the OSI communications model. In normal operation, various network protocols transmit or broadcast packets or headers from which client configuration parameters can be inferred. Examples of such protocols are FTP, HTTP, Telnet, TLS/SSL, DHCP, SNMP, NetBIOS, TCP, IPv4, IPv6, ICMP, IEEE 802.11, SMB, and CDP.
In addition to canvas fingerprinting, active fingerprinting may involve placing executable code directly on the device. Such code may have access to attributes not typically available by other means, such as the MAC address, or other unique serial numbers assigned to the machine hardware.